Closed Bug 1483735 Opened 6 years ago Closed 4 years ago

Assertion failure: !aRoot || (!aStart.IsSet() && !aEnd.IsSet()) ... at src/dom/base/nsRange.cpp:970

Categories

(Core :: DOM: Selection, defect, P3)

Product:
Core
Component:
DOM: Selection
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox63 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

testcase.html
439 bytes, text/html
Details
Attached file testcase.html 
Reduced with m-c:
BuildID=20180815094930
SourceStamp=4494389e577e6529815d43de71268b8837bd79c6

Assertion failure: !aRoot || (!aStart.IsSet() && !aEnd.IsSet()) || aNotInsertedYet || (nsContentUtils::ContentIsDescendantOf(aStart.Container(), aRoot) && nsContentUtils::ContentIsDescendantOf(aEnd.Container(), aRoot) && aRoot == IsValidBoundary(aStart.Container()) && aRoot == IsValidBoundary(aEnd.Container())) (Wrong root), at src/dom/base/nsRange.cpp:970

#0 nsRange::DoSetRange(mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsINode*, bool) src/dom/base/nsRange.cpp:961:3
#1 nsRange::CloneRange() const src/dom/base/nsRange.cpp:2604:10
#2 mozilla::HTMLEditRules::GetPromotedRanges(nsTArray<RefPtr<nsRange> >&, mozilla::EditSubAction) src/editor/libeditor/HTMLEditRules.cpp:7238:47
#3 mozilla::HTMLEditRules::GetNodesFromSelection(mozilla::EditSubAction, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::TouchContent) src/editor/libeditor/HTMLEditRules.cpp:7918:3
#4 mozilla::HTMLEditRules::GetListActionNodes(nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::EntireList, mozilla::HTMLEditRules::TouchContent) src/editor/libeditor/HTMLEditRules.cpp:7563:19
#5 mozilla::HTMLEditRules::GetListState(bool*, bool*, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:824:17
#6 mozilla::HTMLEditor::GetListState(bool*, bool*, bool*, bool*) src/editor/libeditor/HTMLEditor.cpp:1973:21
#7 mozilla::GetListState(mozilla::HTMLEditor*, bool*, nsTSubstring<char16_t>&) src/editor/libeditor/HTMLEditorCommands.cpp:1632:30
#8 mozilla::RemoveListCommand::IsCommandEnabled(char const*, nsISupports*, bool*) src/editor/libeditor/HTMLEditorCommands.cpp:451:17
#9 nsControllerCommandTable::IsCommandEnabled(char const*, nsISupports*, bool*) src/dom/commandhandler/nsControllerCommandTable.cpp:98:26
#10 nsBaseCommandController::IsCommandEnabled(char const*, bool*) src/dom/commandhandler/nsBaseCommandController.cpp:105:25
#11 nsWindowRoot::GetEnabledDisabledCommandsForControllers(nsIControllers*, nsTHashtable<nsCharPtrHashKey>&, nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&) src/dom/base/nsWindowRoot.cpp:266:25
#12 nsWindowRoot::GetEnabledDisabledCommands(nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&) src/dom/base/nsWindowRoot.cpp:292:5
#13 (anonymous namespace)::ChildCommandDispatcher::Run() src/dom/base/nsGlobalWindowOuter.cpp:6212:12
#14 nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) src/dom/base/nsContentUtils.cpp:5657:13
#15 nsContentUtils::AddScriptRunner(nsIRunnable*) src/dom/base/nsContentUtils.cpp:5664:3
#16 nsGlobalWindowOuter::UpdateCommands(nsTSubstring<char16_t> const&, mozilla::dom::Selection*, short) src/dom/base/nsGlobalWindowOuter.cpp:6257:9
#17 nsDocViewerSelectionListener::NotifySelectionChanged(nsIDocument*, mozilla::dom::Selection*, short) src/layout/base/nsDocumentViewer.cpp:3789:16
#18 mozilla::dom::Selection::NotifySelectionListeners() src/dom/base/Selection.cpp:3489:15
#19 nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType) src/layout/generic/nsFrameSelection.cpp:1996:23
#20 mozilla::dom::Selection::AddRangeInternal(nsRange&, nsIDocument*, mozilla::ErrorResult&) src/dom/base/Selection.cpp:2207:28
#21 mozilla::dom::Selection::AddRangeJS(nsRange&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:2120:3
#22 mozilla::dom::Selection_Binding::addRange(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/SelectionBinding.cpp:317:9
#23 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3311:13
#24 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:445:15
#25 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:533:16
#26 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:584:12
#27 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3239:18
#28 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:425:12
#29 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:557:15
#30 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:584:12
#31 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:603:10
#32 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2915:12
#33 mozilla::dom::IdleRequestCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/WindowBinding.cpp:868:8
#34 mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/WindowBinding.h:720:12
#35 mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:74:14
#36 nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:700:19
#37 nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:730:21
#38 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1235:14
#39 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#40 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#41 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#42 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#43 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#44 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:937:22
#45 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#46 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#47 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#48 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:763:34
#49 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#50 main src/browser/app/nsBrowserApp.cpp:287:18
#51 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#52 _start (firefox+0x423d54)
Flags: in-testsuite?
Priority: -- → P3
status-firefox70: --- → affected

The attached test case not longer reproduces this issue and fuzzers are no longer hitting it.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: